Have you heard of the file sftp-config.json? You haven’t? Neither did we until a few weeks ago.
It is used by some SFTP/FTP clients (Sublime SFTP is one) to pre-configure SFTP/FTP connections to remote sites and it contains some useful information in there (not encrypted):
“type”: “ftp”,
..
“host”: “FTP HOST”,
“user”: “FTP USER”,
“password”: “FTP PASS”,
“port”: “21”,
Which makes a lot easier to connect and manage remote servers. However, with extra flexibility comes some serious security issues if not used properly.
First, your user and pass are not encrypted locally. Second, if you upload this file remotely, anyone will be able to see your FTP/SFTP user and password.
Nobody would do that, would they? Well, We decided to check how many sites have the sftp-config.json exposed and And hundreds of them do. And we are talking about the TOP 1m web site list (according to Alexa). We will not list the exposed sites for obvious reasons, but the number is high enough that we need to shed some light on this issue. Yes, we already emailed them to warn them about the problem; hopefully they will all act on that soon.
Checking if a site is vulnerable
A simple way to check if your site is exposing the credentials via sftp-config.json is to just query it via curl:
$ curl -D – site.com/sftp-config.json
// The tab key will cycle through the settings when first create
// sftp, ftp or ftps
“type”: “ftp”,
“save_before_upload”: true,
“upload_on_save”: true,
..
And if you find an output similar to the one above, you know it is vulnerable.
Another easy way to query for this issue is to search on Google for “tab key will cycle through the settings” (common header at the top of the file) or sftp-config.json and you will find passwords in pastebins, github repositories and other places. However, not as much success compared to when you query it directly on the sites.
Solution
The solution is simple, just make sure you never push your FTP settings to remote servers. If you think your site is compromised already, you can scan it on our sitecheck scanner: http://sitecheck.sucuri.net
How do I tell if my FTP client (Filezilla) does this?
If saving passwords is enabled (Kiosk mode = 0 in %APPDATA%filezillafilezilla.xml) then FileZilla stores credentials in plaintext in %APPDATA%filezillarecentservers.xml. Read why: http://forum.filezilla-project.org/viewtopic.php?f=3&t=17932#p70293.
It would also help if the clients, such as Sublime’s SFTP, would offer an option to store this sensitive file away from the files that belong on the server. Does anyone know whether this is possible?